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Nikita Kronenberg 

Sent: Friday, July 6, 2012 6:11 AM 

To: Steve Ocepek 





£0 You forwarded this message on 7/6/12 3:32 PM. 




(Show Forward ) 


Hello, 

Thank you for submitting to DEF CON 20, unfortunately you know by now 
that we are not going to be able to accept your submission. I was a 
little backed up at the end of the CFP this year and in an effort to 
get to you right away with our answer I kept it short. Therefore I 
needed to wait till I could compose your feedback. I know that you put 
a lot of effort into your submission and it's appreciated. More often 
than not, you may find that you got a few *'yes“ votes, but despite 
that fact you were still rejected, that is simply because of a lack of 
room. I know feedback is important to you, so if any comments were 
left by the review board they will be listed below. 


Hool 

thi: 

Plu: 

plu: 


This talk might offend sex workers. That said. 


This talk might offend sex workers. That said, I vote yes. 
I vote yes. This seems like a pretty slick MITM vector. 


(Please understand these are the reviewers comments to each other and 
are not necessarily directed at you) 

Thanks, 


Nikita Caine Kronenberg, 
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The Story So Far 


• Boy meets girl 

• Boy tries to impress girl 

• Hilarity 

• Girl goes out with foreign exchange student 

• 80 's music video montage 
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Boy Becomes a Man, in the Middle 

• Boy installs BT5 

• Boy follows girl into coffee shop 

• Boy uses ettercap to inject traffic into HTTP 
stream 
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An Offer She Cannot Refuse 
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WILL YOU GO OUT WITH ME 
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How a Boy Becomes a Man, 

In the Middle 


Girl 

How a Boy Becomes a Man, 

In the Middle 
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Girl 


Madam 


How a Boy Becomes a Mao, 

In the Middle 
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ARP Request: 
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ARP Request: 
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But now what? 


• Inject traffic into stream 

- UNC Path injection 

- Redirect to active site - session cookie stealing 

• Or just be a creep and watch 
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Why Does it Still Work? 


• Infrastructure problems 

• Security measures are available, but rarely 
employed 

• Often considered to be unpreventable "insider 
threat" like sitting at keyboard of server 

• Girls need to get to Facebook, always click YES 
eventually 
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Real World 

• Great way to pivot once access is obtained 


• Indications during investigations that these 
methods are used 

- Proof is hard to come by, because ARP is rarely logged 

• Commonly used in pentests 

- Great for recon data 

- The notorious UNC injection 
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ettercap 


• Feature-rich MITM framework 

• etterfilter allows modification on the fly 

• Recently picked up by new maintainers 

• Created by ALoR and NaGa 
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ALoR and NaGA 
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SSLStrip 


• Moxie's tool for changing https: references to 
http: 

• He recommends arpspoof for the actual MITM, 
arpspoof does the rest 
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thicknet 


• First MITM session takeover framework 

• Wendel Henrique and I created it for Oracle and 
MSSQL engagements 

• Currently in licensing talks 
for a new line of men's 
body spray 
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Cain and Abel 


• Windows based tool for sniffing, MITM, and 
credential cracking 

• Supports dozens of different types of hashes 

• Calculators for RSA tokens and Cisco type 7 
hashes 

• Point and click MITM 
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Cain and Abel 
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BeEF and Owning Browsers 
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Any Ideas? 


• If we were to target a network client application, 
which one would it be? 

• Preferably one with the ability to execute inline 
code. 

• Hmmmmm.... 

• Any ideas??? 
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Focus is good 


• thicknet is hard, every protocol needs its own 
implementation 

• The whole web model thing lets us put code into 
packets and execute it 

- Javascript, Flash 

• Would be nice if there was a project that made 
this easy 
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Yay BeEF! 

Browser Exploitation Framework 



"BeEF will hook one or more web browsers and use 
them as beachheads for launching directed 
command modules and further attacks against the 
system from within the browser context" 
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What is BeEF? 


• Allows an attacker to control browsers 

• Attacker "hooks" browsers, then called "zombies" 

• Interface with the browser is in JavaScript 

• Module design to easily extend new functionality 

• Interface with Metasploit 

• Cross-Protocol Exploits 

• Proxy 

• And more... 
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BeEF Injection? Surprise! 
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BeEF Injection 


• Enticing a browser to run JavaScript code 

• Beacons back to BeEF server 

• When new actions are available to run, executes 
code, response back with results 

• Typical injection points 

- Persistent XSS 

- XSS + Phishing 

- Phishing + malicious site 
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BeEF Console 



•¥ BeEF Control Panel 


J r* BeEF Basic Demo 
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3 Category: Browser (13 Items) 


Browser Name: Firefox 
Browser Version: 13 

Browser UA String: Mozia/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1 

Browser Plugins: Google Talk NR^PI Plugin-v.3.1.5.8167,Google Talk Plugin Video Accelerator-v.0.1.44.16,Shock 
Flash-v.11.3.300.257,Java Applet Plug-in-v.l3.8.0,SharePoint Browser Plug-in-v.l4.2.2,Siy/erlight Plug-ln- 
v.4.1.10329.0, WebEx 64 General Plugin Container-v.l.0,iPhotoPhotocast-v.7.0,QuickTime Plug-in 7.6.6-V.7.6.6 

Window Size: Width: 1457, Height: 837 

Java Enabled: Yes 
VBScript Enabled: No 
Has Flash: Yes 
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BeEF Challenges 


• You can't put it just anywhere 

• You have to find vulnerable web pages 

• Or make them 

• Have to get people to browse to your links 

• Phishing may tip off that there's a problem 

• Hooking is typically transient, your zombies may 
shamble away 
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BeEF Injection using Man In The Middle 


(picture redacted) 
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ettercap is awesome, but... 


• Unique issues with injecting web content 

• Limited to search and replace without changing 
packet size 

• Disable gzip hacks 

- Accept-Nanerpus 
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if (tcp.dst == 80 ) { 

if (replace("Accept-Encoding", "Accept-Nanerpus")) 

> 
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thicknet is awesome, but... | 

• Made for interactive session injection 

• Focused on DB protocols currently 

• Maybe a bit overkill for this use case 

• It's in Perl 

- Ruby wahhhhh 
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FINE I WILL MAKE YOU A TOOL AND IT 
WILL BE IN RUBY 

Let's call it shank 


rooti3bt:~/src/bhdev/scripts# ruby shank, rb 172.16.51.0/24 ethO 
alp: 

["172.16.51.1", {:nac=>"00:50:56:cO:00:08", :til»e=>2012-07-12 12:02:08 -0500}] 
["172.16.51.2", {:mac=>"00:50:56:ef:4f:b6", :ti»e=>2012-07-12 12:02:08 -0500}] 
[”172.16.51.254", {:Hiac=>"00:50:56:e4:a7:8f", :time=>2012-07-12 12:02:10 -0500}] 
poison 
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Features 

• Easy ARP poisoner / forwarder 

• Stateful 


• Few external dependencies 

- PacketFu 

• It sets Accept-Encoding: identity 

- No more nanerpus! 

- (Actual gzip mod is hard,hard,hard :P ) 

• shank is also a great verb 
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Ruby + MITM P e rformanc e 


• This was actually kind of a paint in the ass 

• Heavy use of bpf filters 

- All your favorites like 

- (tcp[ (tcp[ 12 ]»2 ) : 4 ] = 0x47455420 or top 
[ (tcp[ 12 ]»2 ) : 4 ] = 0x48545450) and port 
80 

- GET or HTTP matching, in bpf! 

• Multiple pcap sessions, multiple bpf filters 

- Let pcap do the work 

- Packet.parse() makes fan go WIRRRRRRR 
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BeEF Integration 


• Through BeEF's rest API, we can identify hooked 
browsers 

• Only poison hosts that aren't active zombies 

• Limit impact on the browser 

• Hook anything talking HTTP that can do 
JavaScript 

• Maintain hooks even if people leave pages 
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BeEF + Autorun 


• When browsers become zombies, a module can 
be run against them automatically 

• Autorun allows multiple modules to be run 

• Can do it smartly based on browser information 

• Launch information gathering modules 
immediately 

• Attacker can use the information for more 
targeted attacks 
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Putting It Together 


1. Browser requests page 

2. Shank downgrades encoding 

3. Web server response 

4. Shank Injects hook 

5. Browser hooked by BeEF 

6. Autorun launches modules 
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Initial Information Gathering 


• Fingerprint plugins for targeted exploit 

• Gather browser information 

• Current page views 

• Enable key logging 

• Send to NTLM capture modules for MSF 

• Run persistence modules 
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Demos 
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More Information 


• Browser Exploitation Framework 

- URL: http: //www. beef project, com/ 

- Rest API Information: 

https://qithub.com/beefproiect/beef/wiki/BeEF-RESTful- 

API 

• Ettercap 

- URL: http://ettercap.sourceforqe.net/ 

• Cain & Abel 

- URL: http://www.oxid.it/cain.html 
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Code / Contact Info 

1 

Shank and other scripts on github.com/spiderLabs 

- Available today! 

- Come on up for signed CD's 


Ryan Linn 

Qsussurro 

rlinn@trustwave.com 


Steve Ocepek 

Qnosteve 

socepek@trustwave.com 
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Big thanks to other SL folks 


• Michele Orru, BeEF project lead, for ideas and 
feedback. 

• Mike Ryan, for fixing and rewriting my Ruby code 
in like 10 minutes and making me feel, super. 
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